Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

what is the goal of go sdk browser flows? isnt browser flows for browsers only? a request made with go sdk will always be a server side request

go can still render an HTML page with a login form on it :thinking_face:

but the request would still happen on a server, right?

not necessarily, the form can POST directly to Kratos

the creation of the browser flow, yes. but the submission of the browser flow, not necessarily

is it ok to do everything on the server?

the browser hits my api and i serve a flowid and csrf token using sdk in the server, then browser sends me an email/password and i submit it using go sdk

I know that Ory recommends using the browser flows when login is performed via a browser, but we are about to use the API flows

so yes, it's possible. but you should ensure that CSRF protections are in place and any issued cookies are secure and HTTP only :shrug:

what im doing is, i relay the cookies from the http response coming from the api

the drawback is that on registry, the requester user agent (and maybe other info) will always be the server

You could pass those headers through as well.